trust-dns: set it to NOT be the system resolver for servo

trust-dns recursor is too beta for servo

hosts/by-name/servo/default.nix

@@ -22,6 +22,7 @@
     "sane-scripts.stop-all-servo"
   ];
   sane.services.dyn-dns.enable = true;
+  sane.services.trust-dns.asSystemResolver = false;  # TODO: enable once it's all working well
   sane.services.wg-home.enable = true;
   sane.services.wg-home.visibleToWan = true;
   sane.services.wg-home.forwardToWan = true;

hosts/common/net/dns.nix

@@ -21,42 +21,36 @@
 # - each namespace can use a different /etc/resolv.conf to specify different DNS servers (see `firejail --dns=...`)
 # - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
 #   - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
-{ lib, ... }:
+{ config, lib, ... }:
+lib.mkMerge [
 {
-  # # use systemd's stub resolver.
+  sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
-  # # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
+  sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
-  # # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
+}
-  # # in servo's ovnps namespace to use the provider's DNS resolvers.
+(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
-  # # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
+  # use systemd's stub resolver.
-  # # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
+  # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
-  # services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
+  # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
-  # # without DNSSEC:
+  # in servo's ovnps namespace to use the provider's DNS resolvers.
-  # # - dig matrix.org => works
+  # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
-  # # - curl https://matrix.org => works
+  # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
-  # # with default DNSSEC:
+  services.resolved.enable = true;  #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
-  # # - dig matrix.org => works
+  # without DNSSEC:
-  # # - curl https://matrix.org => fails
+  # - dig matrix.org => works
-  # # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
+  # - curl https://matrix.org => works
-  # services.resolved.dnssec = "false";
+  # with default DNSSEC:
-  # networking.nameservers = [
+  # - dig matrix.org => works
-  #   # use systemd-resolved resolver
+  # - curl https://matrix.org => fails
-  #   # full resolver (which understands /etc/hosts) lives on 127.0.0.53
+  # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
-  #   # stub resolver (just forwards upstream) lives on 127.0.0.54
+  services.resolved.dnssec = "false";
-  #   "127.0.0.53"
-  # ];
-
-  services.resolved.enable = lib.mkForce false;
-  sane.services.trust-dns.enable = true;
-  sane.services.trust-dns.instances.localhost = {
-    listenAddrs = [ "127.0.0.1" ];
-    enableRecursiveResolver = true;
-    # append zones discovered via DHCP to the resolver config.
-    includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
-  };
   networking.nameservers = [
-    "127.0.0.1"
+    # use systemd-resolved resolver
+    # full resolver (which understands /etc/hosts) lives on 127.0.0.53
+    # stub resolver (just forwards upstream) lives on 127.0.0.54
+    "127.0.0.53"
   ];
-
+})
+{
   # nscd -- the Name Service Caching Daemon -- caches DNS query responses
   # in a way that's unaware of my VPN routing, so routes are frequently poor against
   # services which advertise different IPs based on geolocation.
@@ -77,3 +71,4 @@
   services.nscd.enable = false;
   system.nssModules = lib.mkForce [];
 }
+]

modules/services/trust-dns/default.nix

@@ -134,6 +134,10 @@ in
         default = false;
         type = types.bool;
       };
+      asSystemResolver = mkOption {
+        default = false;
+        type = types.bool;
+      };
       instances = mkOption {
         default = {};
         type = types.attrsOf instanceModule;
@@ -202,10 +206,19 @@ in
       )
     ];
 
-    environment.etc."NetworkManager/dispatcher.d/60-trust-dns-nmhook" = lib.mkIf
+    environment.etc."NetworkManager/dispatcher.d/60-trust-dns-nmhook" = lib.mkIf cfg.asSystemResolver {
-      (lib.any (c: c.enableRecursiveResolver) (builtins.attrValues cfg.instances))
-    {
       source = "${trust-dns-nmhook}/bin/trust-dns-nmhook";
     };
+
+    sane.services.trust-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
+      listenAddrs = [ "127.0.0.1" ];
+      enableRecursiveResolver = true;
+      # append zones discovered via DHCP to the resolver config.
+      includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
+    };
+    networking.nameservers = lib.mkIf cfg.asSystemResolver [
+      "127.0.0.1"
+    ];
+    services.resolved.enable = lib.mkIf cfg.asSystemResolver (lib.mkForce false);
   };
 }